
CVSS: 6.1 | EPSS: 1% | CPEs: 1 | EXPL: 1

20 Aug 2019 — In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the document_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. • https://www.tenable.com/security/research/tra-2019-40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 1% | CPEs: 1 | EXPL: 1

20 Aug 2019 — In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the doc_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. • https://www.tenable.com/security/research/tra-2019-40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 1% | CPEs: 1 | EXPL: 1

20 Aug 2019 — In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the patient_id parameter. This could allow an attacker to execute arbitrary code in the context of a user's session. • https://www.tenable.com/security/research/tra-2019-40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 34% | CPEs: 1 | EXPL: 8

13 Aug 2019 — An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from the server. • https://packetstorm.news/files/id/163375 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

02 Aug 2019 — OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php. • https://github.com/Wezery/CVE-2019-14529 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

17 May 2019 — An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php and the portalAudit function in /portal/lib/appsql.class.php. • https://github.com/openemr/openemr/commit/4963fe4932a0a4e1e982642226174e9931d09541 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

17 May 2019 — An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template.php. • https://github.com/openemr/openemr/commit/4963fe4932a0a4e1e982642226174e9931d09541 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 | EPSS: 2% | CPEs: 1 | EXPL: 1

17 May 2019 — An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php. • https://packetstorm.news/files/id/180735 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Apr 2019 — A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. • https://www.open-emr.org/wiki/index.php/OpenEMR_Patches • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 2

20 Aug 2018 — OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in the 'scan' parameter in line #41 of interface/fax/fax_view.php that could allow remote authenticated attackers to inject arbitrary web script or HTML. This attack appears to be exploitable when the victim visits a specially crafted URL. • https://github.com/openemr/openemr/blob/1b495b0b3cd16daf1e5f085145d9e19dea479c7f/interface/fax/fax_view.php#L41 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')